Why GAO Did This Study

The Department of Defense (DOD) is responsible for ensuring that U.S.
contractors safeguard classified information in their possession. DOD
delegates this responsibility to its Defense Security Service (DSS), which
oversees more than 11,000 contractor facilities that are cleared to access
classified information. Some U.S. contractors have foreign connections that
may require measures to be put into place to reduce the risk of foreign
interests gaining unauthorized access to classified information.

In response to a Senate report accompanying the National Defense
Authorization Act for Fiscal Year 2004, GAO assessed the extent to which DSS
has assurance that its approach provides sufficient oversight of contractors
under foreign ownership, control, or influence (FOCI).


What GAO Recommends

GAO recommends that DOD direct DSS to improve data collection and analysis
of FOCI transactions and protective measures and direct DSS to
systematically assess the effectiveness of the FOCI process to reduce risk
of foreign interests gaining unauthorized access to classified information.
DSS should formulate a human capital strategy and plan to evaluate whether
its staff need better information, training, and tools to perform FOCI
responsibilities. DOD did not concur with our recommendations and stated the
process is sufficient.


What GAO Found

DSS’s oversight of contractors under FOCI depends on contractors self- 
reporting foreign business transactions such as foreign acquisitions. As part 
of its oversight responsibilities, DSS verifies the extent of the foreign 
relationship, works with the contractor to establish protective measures to 
insulate foreign interests, and monitors contractor compliance with these 
measures. In summary, GAO found that DSS cannot ensure that its approach 
to overseeing contractors under FOCI is sufficient to reduce the risk of 
foreign interests gaining unauthorized access to U.S. classified information. 

First, DSS does not systematically ask for, collect, or analyze information on 
foreign business transactions in a manner that helps it properly oversee 
contractors entrusted with U.S. classified information. In addition, DSS does 
not collect and track the extent to which classified information is left in the 
hands of a contractor under FOCI before measures are taken to reduce the 
risk of unauthorized foreign access. During our review, we found instances 
in which contractors did not report foreign business transactions to DSS for 
several months. We also found a contractor under foreign ownership that 
appeared to operate for at least 6 months with access to U.S. classified 
information before a protective measure was implemented to mitigate 
foreign ownership. 

Second, DSS does not centrally collect and analyze information to assess its 
effectiveness and determine what corrective actions are needed to improve 
oversight of contractors under FOCI. For example, DSS does not know the 
universe of all contractors operating under protective measures, the degree 
to which contractors are complying overall with measures, or how its 
oversight could be strengthened by using information such as 
counterintelligence data to bolster its measures. 

Third, DSS field staff face a number of challenges that significantly limit 
their ability to sufficiently oversee contractors under FOCI. Field staff told 
us they lack research tools and training to fully understand the significance 
of corporate structures, legal ownership, and complex financial relationships 
when foreign entities are involved. Staff turnover and inconsistencies over 
how guidance is to be implemented also detract from field staff’s ability to 
effectively carry out FOCI responsibilities. 
United States Government Accountability Office 
Washington, DC 20548 


July 15, 2005 

The Honorable John W. Warner 
Chairman 

Committee on Armed Services 
United States Senate 

The Honorable Carl Levin 
Ranking Minority Member 
Committee on Armed Services 
United States Senate 

The Department of Defense (DOD) depends on numerous U.S. contractor 
facilities to develop and produce military technologies, such as those used 
in tactical aircraft and military satellites, that require access to classified 
information. DOD’s Defense Security Service (DSS) on behalf of DOD and 
23 other federal departments administers the National Industrial Security 
Program, which was established to ensure that contractors appropriately 
safeguard classified information in their possession while performing 
work for the U.S. government. DSS is responsible for providing oversight 
and assistance to U.S. contractors that are cleared for access to classified 
information. Among these contractors are those under foreign ownership, 
control, or influence (FOCI)—that is, a situation in which a foreign 
interest has the power to decide matters affecting a contractor’s 
operations and that could result in unauthorized access to U.S. classified 
information or adversely affect the performance of classified contracts. 1 
The policy of the U.S. government is to allow foreign interests to invest in 
U.S. contractors as long as those investments do not pose a threat to U.S. 
national security interests. 

DSS depends on the contractor to self-report information about certain 
business transactions with foreign entities such as foreign ownership of a 
contractor’s stock. Once it becomes aware that a contractor has come 
under foreign influence through such transactions, DSS is responsible for 
verifying the extent of the foreign relationship. DSS and the contractor 
then work together to decide what appropriate action or measure is to be 
taken to protect U.S. classified information from unauthorized disclosure 
to foreign interests. DSS relies on a number of protective measures to 
reduce the risk of foreign entities having unauthorized access to classified 
information, including requiring a foreign owner to transfer title of 
company stock to U.S. citizen trustees approved by DOD. DSS is also 
responsible for monitoring the contractors’ implementation of the 
protective measures put in place to mitigate FOCI and relies on 
contractors to report instances of noncompliance with its protective 
measures. 


1 FOCI is defined in the National Industrial Security Program Operating Manual, which 
prescribes the requirements, restrictions, and safeguards that contractors are to follow to 
prevent the unauthorized disclosure of classified information. 

In a report accompanying the National Defense Authorization Act for 
Fiscal Year 2004, the Senate Armed Services Committee directed us to 
review DSS’s oversight of contractors with foreign business relationships. 
In response, we examined the extent to which DSS has assurance that its 
approach provides sufficient oversight of contractors under foreign 
ownership, control, or influence. 2 

To assess DSS’s oversight of U.S. contractors involved in foreign business 
transactions, we interviewed and obtained documentation from DSS 
headquarters, DSS field offices, and selected contractors operating under 
various protective measures. We reviewed DSS’s guidance and procedures 
for overseeing contractors that operate under FOCI and for monitoring 
contractors’ compliance with protective measures. We examined and 
analyzed 27 case files for contractors that had various types of foreign 
business transactions reviewed by DSS, which we discussed with DSS 
headquarters and field officials. We performed our work from June 2004 to 
May 2005 in accordance with generally accepted government auditing 
standards. Details on our scope and methodology can be found in 
appendix I. 


2 As part of its report accompanying the National Defense Authorization Act for Fiscal Year 
2004 (S. Rep. No. 108-46, at 346-346 (2003)), the Senate Committee on Armed Services also 
directed us to review DOD’s National Industrial Security Program. In response to that 
request, we assessed (1) DSS’s oversight of U.S. contractor facilities’ implementation of the 
National Industrial Security Program and (2) DSS’s adherence to required procedures after 
a security violation and possible compromise of classified information. Our assessment 
was detailed in the following report: GAO, Industrial Security: DOD Cannot Provide 
Adequate Assurance That Its Oversight Ensures the Protection of Classified Information, 
GAO-04-332 (Washington, D.C.: Mar. 3, 2004). 
Results in Brief 


DSS cannot ensure that its oversight of contractors under FOCI is 
sufficient to reduce the risk of foreign interests gaining unauthorized 
access to U.S. classified information. First, DSS does not systematically 
ask for information that would allow it to know if contractors are 
reporting foreign business transactions when they occur. DSS also does 
not collect and track the extent to which classified information is 
accessible to a contractor under FOCI before measures are taken to 
reduce the risk of unauthorized foreign access. Without this information, 
DSS is limited in its ability to effectively oversee contractors under FOCI 
and take actions when needed to protect classified information from 
undue foreign access. During our review, we found instances in which 
contractors did not report foreign business transactions to DSS for several 
months. In addition, we found a contractor under foreign ownership that 
appeared to have had access to U.S. classified information for at least 6 
months before a protective measure was implemented. Second, DSS does 
not centrally collect and analyze information to assess its effectiveness 
and determine what corrective actions are needed to improve oversight of 
contractors under FOCI. For example, DSS does not know the total 
number of contractors operating under all protective measures and the 
degree to which contractors are complying overall with protective 
measures. Third, DSS field staff face a number of challenges in carrying 
out their responsibilities in overseeing contractors under FOCI. Field staff 
told us they lack research tools and training to fully understand the 
significance of corporate structures, legal ownership, and complex 
financial relationships when foreign entities are involved. Field staff also 
informed us that staff turnover further compounded these challenges. In 
addition, we found inconsistencies in how field staff understand and 
implement FOCI guidance. These challenges combined significantly limit 
DSS field staff’s ability to sufficiently oversee contractors under FOCI to 
minimize the risk of unauthorized foreign access to U.S. classified 
information. 

In light of our findings, we are recommending that the Secretary of 
Defense take certain actions to (1) improve DSS’s knowledge of the timing 
of foreign business transactions, (2) assess the overall effectiveness of 
DSS’s oversight of contractors under FOCI, and (3) develop a human 
capital strategy that would provide the appropriate support for industrial 
security representatives. DOD did not concur with our recommendations. 
In commenting on a draft of our report, DOD indicated that it believes the 
FOCI process is adequate to ensure the protection of classified 
information. However, DOD did not provide evidence to support this 
belief. Given the vulnerabilities we identified in our report, our 
recommendations stand. 


GAO-05-681 Industrial Security 


Background 


The National Industrial Security Program was established in 1993 for the 
protection of classified information. DSS administers the National 
Industrial Security Program on behalf of DOD and 23 other federal 
departments and agencies. DSS is responsible for providing oversight, 
advice, and assistance to more than 11,000 U.S. contractor facilities that 
are cleared for access to classified information. Contractor facilities can 
range in size, be located anywhere in the United States, and include 
manufacturing plants, laboratories, and universities. About 221 industrial 
security representatives work out of 25 DSS field offices across the United 
States and serve as the primary points of contact for these facilities. DSS is 
responsible for ensuring that these contractors meet requirements to 
safeguard classified information under the National Industrial Security 
Program. Contractors must have facility security clearances under this 
program before they can work on classified contracts. 

To obtain a facility security clearance, contractors are required to self- 
report foreign business transactions on a Certificate Pertaining to Foreign 
Interests form. 3 Examples of such transactions include foreign ownership 
of a contractor’s stock, a contractor’s agreements or contracts with 
foreign persons, and whether non-U.S. citizens sit on a contractor’s board 
of directors. DSS’s industrial security representatives provide guidance to 
contractors on filling out the certificate. If a contractor declares no foreign 
business transactions on the certificate, DSS places the certificate in the 
contractor’s file located in the field. When U.S. contractors with facility 
security clearances have changes in foreign business transactions to 
report, they are required to complete the certificate again and resubmit it 
every 5 years, even if no foreign transactions take place. Because a U.S. 
company can own a number of contractor facilities, the corporate 
headquarters or another legal entity within that company is required to 
complete the certificate. 4 


3 Throughout our report, we refer to information reported by contractors on the Certificate 
Pertaining to Foreign Interests form, or the changes afterwards, as foreign business 
transactions. 

4 Each business structure has its own set of legal requirements. Within the National 
Industrial Security Program, the most common type of business structure is the 
corporation. A corporation may be organized as a single corporate entity, a multiple facility 
organization with divisions, or a parent-subsidiary relationship. Under a multiple facility 
organization, the home office is the legal entity, while the divisions are extensions of the 
legal entity. In a parent-subsidiary relationship, the parent and the subsidiary are separate 
legal entities. 
When contractors declare foreign transactions on their certificates and 
notify DSS, industrial security representatives are responsible for ensuring 
that contractors properly identify all relevant foreign business 
transactions. They are also required to collect, analyze, and verify 
pertinent information about these transactions. For example, by 
examining various corporate documents, the industrial security 
representatives can determine corporate structures and ownership and 
identify key management officials. The representatives may consult with 
DSS counterintelligence officials, who can provide information about 
threats to U.S. classified information. If contractors’ answers on the 
certificates indicate that foreign transactions meet certain DSS criteria or 
exceed thresholds, such as the percentage of company stock owned by 
foreign persons, the representatives forward these FOCI cases to DSS 
headquarters. DSS headquarters works with contractors to determine 
what, if any, protective measures are needed to reduce the risk of foreign 
interests gaining unauthorized access to U.S. classified information. DSS 
field staff are then responsible for monitoring contractor compliance with 
these measures. Figure 1 shows highlights of the FOCI process. 





Figure 1: Overview of DSS’s FOCI Process 

Columns: Who is involved in the process; Identification and verification of 
FOCI; Mitigation of FOCI; Oversight of contractors with FOCI 

Contractor facilities’ officials 

• Submit Certificate Pertaining to Foreign Interests along with supporting 
documentation to DSS 

• Submit plan to DSS headquarters for protective measures 

• Participate in DSS security review 

• Submit compliance report and hold annual FOCI meeting (when required) 
with DSS industrial security representatives 

Industrial security representatives in DSS field offices 

• Verify information in foreign interest certificate and in supporting 
documentation 

• Determine if answers on certificate meet criteria or exceed thresholds 
that require DSS headquarters’ review 

o If criteria are met or thresholds are exceeded, forward case to 
headquarters 
o If case does not require headquarters review, maintain documentation in 
field office file 

• Conduct security review 

• Review compliance report and attend annual FOCI meeting (when required) 
with contractors 

DSS headquarters officials 

• Conduct further review of contractor-supplied FOCI information 

• Determine need for protective measures 

• Review and approve contractors’ plans for protective measures 

• Hold initial meeting with contractors to discuss protective measures 

• Review compliance report and attend first annual FOCI meeting (when 
required) with contractors 


Source: DSS (data); GAO (analysis and presentation). 


On a case-by-case basis, DSS headquarters can approve the use by 
contractors of one of six types of protective measures: voting trust 
agreements, proxy agreements, special security agreements, security 
control agreements, board resolutions, and limited facility clearances. 
These protective measures are intended to insulate contractor facilities 
from undue foreign control and influence and to reduce the risk of 
unauthorized foreign access to classified information. Protective measures 
vary in the degree to which foreign entities are insulated from classified 
information and are not intended to deny foreign owners the opportunity 
to pursue business relationships with their U.S.-based contractor facilities 
working on classified contracts. Table 1 provides a general description of 
each of these protective measures. In addition to these measures, DSS can 
also require contractors to take certain actions to mitigate specific FOCI 
situations such as termination of loan agreements or elimination of debt 
owed to a foreign entity. 


Table 1: Types of Protective Measures 


Protective measure 

General description 

Voting trust agreement 

• Foreign owners transfer legal title to the stock of the foreign-owned U.S. company to U.S. citizen 
trustees that are approved by DOD 

Proxy agreement 

• Similar to a voting trust, except foreign owners retain legal title to the stock and transfer voting 
rights of stock to U.S. citizen proxy holders that are approved by DOD 

Special security agreement 

• Allows representatives of the foreign owner to be on the U.S. contractor’s board of directors but 
requires U.S. citizen outside directors that are approved by DOD 

• Contractors under a special security agreement are denied access to classified information such 
as Top Secret, special access, and other sensitive information unless DOD determines it is in 
the U.S. national interest and grants an exception 

Security control agreement 

• Similar to a special security agreement and used when contractor is not effectively owned or 
controlled by foreign person(s) 

• Unlike contractors under a special security agreement, contractors under a security control 
agreement are not denied access to classified information such as Top Secret, special access, 
and other sensitive information 

Board resolution 

• Resolution by contractor’s board of directors certifying that foreign shareholder(s) shall not have 
access to classified information or be permitted to hold positions that enable them to influence 
the performance of classified contracts 

Limited facility clearance 

• Requires industrial security agreement with the foreign government of the country from which 
foreign ownership is derived 

• Access to classified information is restricted to performance on a specific contract as defined by 
the government customer, but there is no restriction on foreign management control and 
influence 


Source: DSS (data); GAO (analysis and presentation). 


For contractors operating under voting trust, proxy, special security, or 
security control agreements, industrial security representatives are 
supposed to conduct annual FOCI meetings with contractor staff who are 
responsible for ensuring compliance with these protective measures. In 
preparation for these annual meetings, contractors are required to 
produce and submit to DSS annual FOCI compliance reports that can 
describe specific acts of noncompliance with protective measures, 
changes in organizational structure or changes in security procedures at 
the contractor, and other issues that have occurred over the course of a 
year. Industrial security representatives should then review the reports to 
determine how contractors are fulfilling their obligations under the 
protective measures. In addition, DSS generally conducts security reviews 
annually for facilities that store classified information or every 18 months 
for facilities that do not have classified information on site. However, for 
contractors operating under voting trust, proxy, special security, or 
security control agreements, industrial security representatives are 
required to conduct a security review every 12 months whether the 
contractor has classified information on site or not. These reviews are 
designed to determine security vulnerabilities and contractor compliance 
with National Industrial Security Program requirements and to evaluate 
the overall quality of the facility’s security program, including compliance 
with protective measures to mitigate FOCI. 

DSS will not grant a new facility security clearance to a contractor until all 
relevant FOCI have been mitigated. In addition, DSS shall suspend an 
existing clearance if FOCI at a contractor facility has not been mitigated. A 
contractor with a suspended facility clearance can continue to work on an 
existing classified contract unless the government contracting office 
denies access to the existing contract. In addition, the contractor cannot 
be awarded a new classified contract until the clearance is restored. 


DSS’s Approach to Overseeing FOCI Contractors Is Insufficient 


DSS does not systematically ask for, collect, or analyze foreign business 
transactions in a manner that helps it properly oversee contractors 
entrusted with U.S. classified information, nor does DSS aggregate and 
analyze information to determine the overall effectiveness of its oversight 
of FOCI contractors. Notably, DSS does not know if contractors are 
reporting foreign business transactions as they occur and lacks knowledge 
about how much time a contractor facility with unmitigated FOCI has 
access to classified information. 5 Figure 2 shows a general description of 
gaps in DSS knowledge about the FOCI process. Furthermore, DSS field 
staff said they lack research tools and sufficient training regarding the 
subject of foreign transactions and have indicated challenges with regard 
to staff turnover. 


5 “Unmitigated FOCI” refers to situations in which contractors with facility security 
clearances are under FOCI and protective measures are needed but not yet implemented. 
Figure 2: Knowledge Gaps in DSS’s FOCI Process 

DSS’s FOCI process (in sequence): 

• FOCI business transaction occurs 

• Contractor self-reports FOCI transaction to DSS 

• If protective measure is required, DSS and contractor decide which type 
of measure to implement 

• Contractor implements protective measure 

Knowledge gaps shown: 

• DSS does not analyze whether contractors self-report transactions 

• DSS does not know how much time passes before contractor implements the 
protective measure 

Label on the timeline: Potential period of unmitigated FOCI 

Source: DSS (data); GAO (analysis and presentation). 

Note: Per the National Industrial Security Program Operating Manual, DSS shall suspend the facility 
clearance of a contractor with unmitigated FOCI. 


DSS Cannot Ensure Timely Reporting from FOCI Contractors or Determine the Extent to Which FOCI Is Unmitigated 


DSS does not systematically ask for information that would allow it to 
know if contractors are reporting certain foreign business transactions 
when they occur, which begins the process for reducing FOCI-related 
security risks. DSS industrial security representatives are responsible for 
advising contractors that timely notification of foreign business 
transactions is essential. The National Industrial Security Program 
Operating Manual requires contractors with security clearances to report 
any material changes of foreign business transactions previously notified 
to DSS but does not specify a time frame for doing so. DSS is dependent 
on contractors to self-report transactions by filling out the Certificate 
Pertaining to Foreign Interests form, but this form does not ask 
contractors to provide specific dates for when foreign transactions took 
place. In addition, DSS does not compile or analyze how much time passes 
before DSS becomes aware of foreign business transactions. DSS field 
staff told us that some contractors report foreign business transactions as 
they occur, while others report transactions months later, if at all. During 
our review, we found a few instances in which contractors were not 
reporting foreign business transactions when they occurred. One 
contractor did not report FOCI until 21 months after awarding a 
subcontract to a foreign entity. Another contractor hired a foreign national 
as its corporate president but did not report this transaction to DSS, and 
DSS did not know about the FOCI change until 9 months later, when the 
industrial security representative came across the information on the 
contractor’s Web site. In another example, DSS was not aware that a 
foreign national sat on a contractor’s board of directors for 15 months 
until we discovered it in the process of conducting our audit work. 

Without timely notification from contractors, DSS cannot track when 
specific foreign business transactions took place and therefore is not in a 
position to take immediate action so that FOCI is mitigated, if necessary. 

In addition, DSS does not determine the time elapsed from reporting of 
foreign business transactions by contractors with facility clearances to the 
implementation of protective measures or when suspensions of facility 
clearances occur. Without protective measures in place, unmitigated FOCI 
at a cleared contractor increases the risk that foreign interests can gain 
unauthorized access to U.S. classified information. During our review, we 
found two cases in which contractors appeared to have operated with 
unmitigated FOCI before protective measures were implemented. For 
example, officials at one contractor stated they reported to DSS that their 
company had been acquired by a foreign entity. However, the contractor 
continued operating with unmitigated FOCI for at least 6 months. In the 
other example, a foreign-purchased contractor continued operating for 2 
months with unmitigated FOCI. Contractor officials in both examples told 
us that their facility clearances were not suspended. According to the 
National Industrial Security Program Operating Manual, DSS shall 
suspend the facility clearance of a contractor with unmitigated FOCI. DSS 
relies on field office staff to make this determination. Because information 
on suspended contractors with unmitigated FOCI is maintained in the 
field, DSS headquarters does not determine at an aggregate level the 
extent to which and under what conditions it suspends contractors’ 
facility clearances due to unmitigated FOCI. 


DSS Does Not Maintain Aggregate Information to Assess Overall Effectiveness of the FOCI Process 


DSS does not centrally collect and analyze information to determine the 
magnitude of contractors under FOCI and assess the effectiveness of its 
oversight of those contractors. For example, DSS does not know how 
many contractors under FOCI are operating under all types of protective 
measures and, therefore, does not know the extent of potential FOCI- 
related security risks. Although DSS tracks information on contractors 
operating under some types of protective measures, it does not centrally 
compile data on contractors operating under all types of protective 
measures. 6 Specifically, DSS headquarters maintains a central repository 
of data on contractors under voting trust agreements, proxy agreements, 
and special security agreements—protective measures intended to 
mitigate majority foreign ownership. However, information on contractors 
under three other protective measures—security control agreements, 
limited facility clearances, and board resolutions—is maintained in paper 
files in the field offices. 7 DSS does not aggregate data on contractors for all 
six types of protective measures and does not track and analyze overall 
numbers. In addition, DSS does not conduct overall analysis of foreign 
business transactions reported by contractors on their Certificate 
Pertaining to Foreign Interests forms or maintain aggregate information 
for contractors’ responses. Consequently, DSS does not know the universe 
of FOCI contractors operating under protective measures, and DSS cannot 
determine the extent to which contractors under FOCI are increasing or if 
particular types of foreign business transactions are becoming more 
prevalent. This information would help DSS target areas for improved 
oversight. According to DSS officials, centralizing and tracking 
information on contractors under all types of measures would require 
more resources because information is dispersed in paper files in DSS 
field offices around the country. 


6 There may be multiple contractor locations under a particular protective measure, but the 
legal parent signs the measure that covers its divisions. 

DSS does not systematically compile and analyze trends from its oversight 
functions to identify overall compliance trends or concerns with 
implementation of protective measures by contractors. DSS industrial 
security representatives are responsible for ensuring compliance of FOCI 
contractors under certain protective measures through annual FOCI 
meetings where they discuss contractors’ compliance reports. 8 Industrial 
security representatives notify headquarters of the results of the meetings 
and place compliance reports and their own assessments in paper files 
located in field offices. However, DSS headquarters does not use annual 
compliance reports to assess trends to evaluate overall effectiveness of the 
FOCI process. 


7 The field office files are the official record for documenting information on contractor 
facilities’ security programs and industrial security representatives’ interactions with those 
contractors, including those under FOCI. The paper folders contain such information as the 
identity of the facility owner, contractor-submitted Certificate Pertaining to Foreign 
Interests forms, and the results of the contractor’s last two security reviews. In addition to 
the file folders, DSS has a facilities database that contains information on facilities’ security 
programs. DSS officials acknowledged that the database is prone to data integrity and data 
loss problems that need to be addressed. 

8 The protective measures include voting trust, proxy, special security, and security control 
agreements. 

Finally, the use of protective measures at FOCI contractor facilities was 
designed in part to counter attempts to gather classified information 
through unauthorized means. DSS does not assess trends from its own 
counterintelligence data or information gathered by other intelligence 
agencies to evaluate whether protective measures are effectively 
mitigating FOCI risk across the board. For example, a 2004 DSS 
counterintelligence report states that foreign information targeting 
through e-mail and Internet communication and collection methods is on 
the rise. However, according to DSS officials, not all protective measures 
at FOCI contractors include provisions to monitor e-mail or other Internet 
traffic. By assessing counterintelligence trends to analyze the effectiveness 
of protective measures in countering foreign information collection 
attempts, DSS could identify weaknesses in its protective measures and 
adjust them accordingly. 


DSS Industrial Security Representatives Face Challenges in Carrying Out FOCI Responsibilities 

DSS’s field staff face numerous challenges: complexities in verifying FOCI 
cases, limited tools to research FOCI transactions, insufficient FOCI 
training, staff turnover, and inconsistencies in implementing guidance on 
FOCI cases. 

For industrial security representatives, verifying if a contractor is under 
FOCI is complex. Industrial security representatives cited various 
difficulties verifying FOCI information. To verify if a contractor is under 
FOCI, industrial security representatives are required to understand the 
corporate structure of the legal entity completing the Certificate 
Pertaining to Foreign Interests form and evaluate the types of foreign 
control or influence that exist for each entity within a corporate family. 
DSS officials informed us that tracing strategic company relationships, 
country of ownership, and foreign affiliations and suppliers, or reviewing 
corporate documentation—such as loan agreements, financial reports, or 
Securities and Exchange Commission filings—is complicated. For 
example, representatives are required to verify information on stock 
ownership by determining the distribution of the stock among the 
stockholders and the influence or control the stockholders may have 
within the corporation. This entails identifying the type of stock and the 
number of shares owned by the foreign person(s) to determine their 
authority and management prerogatives, which DSS guidance indicates 
may be difficult to ascertain in certain cases. According to DSS field 
officials, verifying information is especially difficult when industrial 
security representatives have limited exposure to FOCI cases. In some 
field offices we visited, industrial security representatives had few or no 
FOCI cases and, therefore, had limited knowledge about how to verify 
foreign business transactions. 

Some industrial security representatives in one field office told us they do 
not always have the tools needed to verify if contractors are under FOCI. 
As part of their review process, industrial security representatives are 
responsible for verifying what a contractor reports on its Certificate 
Pertaining to Foreign Interests form and determining the extent of foreign 
interests in the company. Industrial security representatives conduct 
independent research using the Internet or return to the contractor for 
more information to evaluate the FOCI relationships and hold discussions 
with management officials, such as the chief financial officer, treasurer, 
and legal counsel. DSS headquarters officials told us additional 
information sources, such as the Dun and Bradstreet database of millions 
of private and public companies, are currently not available in the field. 
However, some industrial security representatives stated that such 
additional resource tools would be beneficial for verifying complex FOCI 
information. 

In addition, industrial security representatives stated they lacked the 
training and knowledge needed to better verify and oversee contractors 
under FOCI. For example, DSS does not require its representatives to have 
financial or legal training. While some FOCI training is provided, 
representatives largely depend on DSS guidance and on-the-job training to 
oversee a FOCI contractor. In so doing, representatives work with more 
experienced staff or seek guidance, when needed, from DSS headquarters. 
In a 1999 review, DSS recognized that recurring training was necessary to 
ensure industrial security representatives remain current on complex 
FOCI issues and other aspects of the FOCI process. DSS headquarters 
officials said that they have held regionwide meetings where they 
discussed FOCI case scenarios and responded to questions about the FOCI 
process. However, we found that the training needs on complex FOCI 
issues are still a concern to representatives. In fact, many said they needed 
more training to help with their responsibility of verifying FOCI 
information, including how to review corporate documents, strategic 
company relationships, and financial reports. DSS field officials said the 
DSS training institute currently offers a brief training unit on FOCI 
covering basic information. 9 DSS established a working group of DSS field 
and headquarters staff to look at ways to improve the training program, 
including more specific FOCI training. The group submitted 
recommendations in March 2005 to field managers for their review. 10 DSS 
is also planning to work with its training institute to develop additional 
FOCI courses to better meet the needs of the industrial security 
representatives. 

According to field staff, industrial security representatives operate in an 
environment of staff turnover, which can affect their in-depth knowledge 
of FOCI contractors. Officials from one-third of the field offices we 
reviewed noted staff retention problems. DSS officials at two of these field 
offices said that in particular they have problems retaining more 
experienced industrial security representatives. Field officials said that 
when an industrial security representative retires or leaves, the staff 
member’s entire workload is divided among the remaining representatives, 
who already have a substantial workload. In addition, DSS guidance 
advises field office officials to rotate contractor facilities among industrial 
security representatives every 3 years, if possible, as a means of retaining 
DSS independence from the contractors. DSS officials told us the rotation 
can actually occur more frequently because of staff turnover. DSS 
headquarters officials said they are formulating a working group to help 
improve staff retention in the field. 

Compounding these challenges are inconsistencies among field offices in 
how industrial security representatives said they understood and 
implemented DSS guidance for reviewing contractors under FOCI. For 
example, per DSS guidance, security reviews and FOCI meetings should 
be performed every 12 months for contractors operating under special 
security agreements, security control agreements, voting trust agreements, 
and proxy agreements. However, we found that some industrial security 
representatives were inconsistent in implementing the guidance. For 
example, one representative said a contractor under a special security 


9 DSS officials told us that new industrial security representatives participate in a 12-week 
mentoring program prior to attending a 4-week course at the DSS training institute. The 
mentoring program consists of separate units that contain activities that must be 
completed before an industrial security representative is approved to attend the 4-week 
course. In either the program or the course, only one unit or section of training pertains to 
general FOCI information. 

10 According to DSS, the overall goal for this working group was to connect professional 
development to the individual employee, the budget, and DSS’s mission. 

agreement was subject to a security review every 18 months because the 
contractor did not store classified information on-site. 11 In addition, two 
industrial security representatives told us they did not conduct annual 
FOCI meetings for contractors that were operating under a proxy 
agreement and security control agreement, respectively. We also found 
that industrial security representatives varied in their understanding or 
application of DSS guidance for when they should suspend a contractor’s 
facility clearance when FOCI is unmitigated. The guidance indicates that 
when a contractor with a facility clearance is determined to be under 
FOCI that requires mitigation by DSS headquarters, the facility security 
clearance shall be suspended until a protective measure is implemented. 
However, we were told by officials in some field offices that they rarely 
suspend clearances when a contractor has unmitigated FOCI as long as 
the contractor is demonstrating good faith in an effort to provide 
documentation to DSS to identify the extent of FOCI and submits a FOCI 
mitigation plan to DSS. Officials in other field offices said they would 
suspend a contractor’s facility clearance once they learned the contractor 
had unmitigated FOCI. 


Conclusions 


The protection of classified information has become increasingly 
important in light of the internationalization of multibillion-dollar 
cooperative development programs, such as a new-generation fighter 
aircraft, and a growing number of complex cross-border industrial 
arrangements. Although such developments offer various economic and 
technological benefits, there can be national security risks when foreign 
companies control or influence U.S. contractors with access to classified 
information. Given the growing number of DOD contractors with 
connections to foreign countries, it is critical for DSS to ensure that 
classified information is protected from unauthorized foreign access. In 
carrying out its responsibilities, DSS is dependent on self-reported 
information from the contractors about their foreign activities, creating 
vulnerabilities outside of DSS’s control. Within this environment, unless 
DSS improves the collection and analysis of key information and provides 
its field staff with the training and tools they need to perform FOCI 
responsibilities, DSS will continue to operate without knowing how 


11 DSS reported in a 1999 review of its FOCI process that the oversight by industrial 
security representatives was not always consistent, and at that time DSS recommended 
that FOCI companies should be assessed annually rather than on an 18-month schedule. 

effective its oversight is at reducing the risk of foreign interests gaining 
unauthorized access to U.S. classified information. 


Recommendations for Executive Action 

To improve knowledge of the timing of foreign business transactions and 
reduce the risk of unauthorized foreign access to classified information, 
we recommend that the Secretary of Defense direct the director of DSS to 
take the following three actions: 

• clarify when contractors need to report foreign business transactions 
to DSS, 

• determine how contractors should report and communicate dates of 
specific foreign business transactions to DSS, and 

• collect and analyze when foreign business transactions occurred at 
contractor facilities and when protective measures were implemented 
to mitigate FOCI. 

To assess overall effectiveness of DSS oversight of contractors under 
FOCI, we recommend that the Secretary of Defense direct the director of 
DSS to take the following three actions: 

• collect and analyze data on contractors operating under all protective 
measures as well as changes in types and prevalence of foreign 
business transactions reported by contractors; 

• collect, aggregate, and analyze the results of annual FOCI meetings, 
contractors’ compliance reports, and data from the counterintelligence 
community; and 

• develop a plan to systematically review and evaluate the effectiveness 
of the FOCI process. 

To better support industrial security representatives in overseeing 
contractors under FOCI, we recommend the Secretary of Defense direct 
the director of DSS to formulate a human capital strategy and plan that 
would encompass the following two actions: 

• evaluate the needs of representatives in carrying out their FOCI 
responsibilities and 

• determine and implement changes needed to job requirements, 
guidance, and training to meet FOCI responsibilities and explore 
options for improving resource tools and knowledge-sharing efforts 
among representatives. 


Agency Comments 
and Our Evaluation 


In commenting on a draft of our report, DOD disagreed with our 
conclusions that improvements are needed to ensure sufficient oversight 
of contractors under FOCI, and it also disagreed with our 
recommendations to improve oversight. Overall, DOD’s comments 
indicate that it believes that the actions DSS takes when it learns of FOCI 
at contractors is sufficient. However, DOD has not provided evidence 
necessary to support its assertions. In fact, we found two cases in which 
contractors appeared to have operated with unmitigated FOCI before 
protective measures were put into place. Unmitigated FOCI at contractors 
increases the risk that foreign interests can gain unauthorized access to 
U.S. classified information. Further, DOD states that we did not establish a 
link between collecting and analyzing FOCI data and the effectiveness of 
DSS’s oversight or the protection of classified information. We found that 
DSS lacks fundamental FOCI information—including information on the 
universe of FOCI contractors and trends in overall contractor compliance 
with protective measures—that is needed to determine the effectiveness 
of the FOCI process and the sufficiency of oversight. Ultimately, without 
making this determination, DSS cannot adequately ensure it is taking 
necessary steps to reduce the risk of foreign interests gaining 
unauthorized access to classified information. Unless our 
recommendations are implemented, we are concerned that DSS will 
continue to operate on blind faith that its FOCI process is effective and its 
oversight is sufficient. 

DOD did not concur with seven of our recommendations and only partially 
concurred with the eighth. Regarding our first three recommendations, 
which aim to improve DSS’s knowledge of the timing of foreign business 
transactions and reduce the risk of unauthorized foreign access to 
classified information, DOD argues that having such information will not 
help protect classified information. However, as we noted in our report, 
without this information, DSS is not in a position to know when FOCI 
transactions occur so that timely protective measures can be implemented 
to mitigate FOCI as needed—the purpose of the FOCI process. 

Regarding our next three recommendations, which aim to enable DSS to 
assess the overall effectiveness of its oversight of contractors under FOCI, 
DOD argues that it does not need to collect and analyze information on the 
universe of contractors under FOCI and trends in foreign business 
transactions, or aggregate compliance and counterintelligence 
information. However, without this information, DSS limits its ability to 
identify vulnerabilities in the FOCI process and to target areas for 
improving oversight of contractors, including potential changes to 
protective measures. DOD also argues that it has three mechanisms to 
systematically evaluate DSS’s processes: DSS’s Inspector General, a 
management review process for industrial security field office oversight, 
and a standards and quality program. However, DOD has not provided 
evidence in its comments that these mechanisms are focused on 
systematically reviewing and evaluating the effectiveness of the FOCI 
process. 

Regarding our last two recommendations—to formulate a human capital 
strategy and plan that would better support industrial security 
representatives in overseeing FOCI contractors—DOD does not believe 
that its industrial security representatives need additional support. DOD 
supports this belief with two points. First, DOD states that because less 
than 3 percent of the approximately 12,000 cleared companies overseen by 
DSS have any FOCI mitigation, most DSS industrial security 
representatives do not oversee such contractors. Yet it is unclear how 
DOD arrived at these figures because DSS does not collect and analyze 
information on all contractors operating under protective measures. 
Regardless of the number of these contractors, industrial security 
representatives must have adequate support—including training and 
guidance—to verify if contractors are under FOCI and to ensure 
contractors comply with any protective measures put in place. In the 
course of our review, we found that industrial security representatives are 
not sufficiently equipped to fulfill their FOCI responsibilities. Second, 
DOD noted that DSS is under new leadership and is exploring operational 
improvements as well as implementing a new industrial security 
information management system. While it is too early to assess the effect 
of these proposals, it is also unclear how these efforts will bring about any 
needed changes to industrial security representatives’ job requirements, 
guidance, tools, and training. 

As we concluded in our report, DSS’s dependence on self-reported 
information from contractors about their foreign activities creates 
vulnerabilities outside of DSS’s control. Given these vulnerabilities, it is 
imperative that DSS improve the collection and analysis of key 
information on the FOCI process and provide its industrial security 
representatives with the training and tools they need to perform their 
FOCI responsibilities. If DSS continues to operate without knowing how 
effective its oversight is and does not support the representatives in 
carrying out their FOCI responsibilities, then the value of DSS’s 
management and the FOCI process should be open for further 
examination. Therefore, we did not modify our recommendations. 


DOD also provided technical comments, which we addressed. DOD’s letter 
is reprinted in appendix II, along with our evaluation of its comments. 


We are sending copies of this report to interested congressional 
committees; the Secretary of Defense; the Director, Defense Security 
Service; the Assistant to the President for National Security Affairs; and 
the Director, Office of Management and Budget. We will make copies 
available to others upon request. In addition, this report will be available 
at no charge on the GAO Web site at http://www.gao.gov. 

If you have any questions about this report, please contact me at (202) 
512-4841. Major contributors to this report are Anne-Marie Lasowski, 
Maria Durant, Ian A. Ferguson, Suzanne Sterling, Kenneth E. Patton, Lily J. 
Chin, and Karen Sloan. 



Ann Calvaresi-Barr 
Director 
Acquisition and Sourcing Management 

Appendix I: Scope and Methodology 


To assess the Defense Security Service’s (DSS) process for determining 
and overseeing contractors under foreign ownership, control, or influence 
(FOCI), we reviewed Department of Defense (DOD) regulations and 
guidance on FOCI protective measures included in the National 
Industrial Security Program Operating Manual, and the Industrial 
Security Operating Manual, as well as DSS policies, procedures, and 
guidance for verifying contractors under FOCI and for overseeing them. 

We discussed with DSS officials at headquarters and field locations how 
they use DSS guidance to oversee FOCI contractors. We also discussed 
DSS roles and responsibilities for headquarters and field staff and 
challenges in overseeing contractors that report FOCI and the use of FOCI 
information to evaluate effectiveness of the process. We reviewed DSS 
training materials to learn about the type of training DSS offers industrial 
security representatives in meeting their FOCI responsibilities. We also 
examined FOCI studies conducted by DSS to determine the results of 
earlier DSS reviews of the FOCI process. 

We visited nine field offices that varied in how many FOCI contractors 
they monitored and in their geographic location. Through discussions with 
DSS officials at headquarters in Alexandria, Virginia, and from nine field 
offices, we identified FOCI contractors operating under various protective 
measures and examined DSS actions to verify FOCI and oversee the 
implementation of protective measures at contractor facilities. We 
collected information on a nonrepresentative sample of 27 contractor 
facility case files reviewed by DSS for FOCI. In addition, we visited 8 of the 
27 contractor facilities and spoke with security officials, corporate 
officers, and board members to obtain additional clarification on the types 
of protective measures and the FOCI process. 

We spoke with DSS headquarters and field staff regarding actions taken to 
implement protective measures and reviewed supporting documentation 
maintained by DSS and contractor facilities. During our visits to nine field 
offices, we discussed the contents of selected contractor facility file 
folders to understand how DSS oversees contractors’ implementation of 
protective measures, determines unmitigated FOCI, and assesses the 
effectiveness of the FOCI process. Because we did not take a statistical 
sample of case files, the results of our analyses cannot be generalized. 
However, we confirmed that the data used to select the files that we 
reviewed were consistent with the information in the facility files that we 
reviewed. 

Appendix II: Comments from the Department 
of Defense 


GAO’s comments 
supplementing those in 
the report text appear at 
the end of this appendix. 


See comment 1. 


See comment 2. 


See comment 3. 


OFFICE OF THE UNDER SECRETARY OF DEFENSE 

5000 DEFENSE PENTAGON 
WASHINGTON, DC 20301-5000 

JUN 29 2005 

Ms. Ann Calvaresi-Barr, Director 
Acquisition and Sourcing Management 
U.S. Government Accountability Office 
Washington, D.C. 20548 

Dear Ms. Calvaresi-Barr: 

This is the Department of Defense (DoD) response to the GAO draft report (OS- 
681), “INDUSTRIAL SECURITY: DOD Cannot Ensure Its Oversight of Contractors 
under Foreign Influence Is Sufficient,” dated June 10, 2005 (GAO Code 120348). 

In response to a Senate report accompanying the National Defense Authorization 
Act for Fiscal 2004, your organization was tasked to assess the extent to which the 
Defense Security Service (DSS) “has assurance that its approach provides sufficient 
oversight of contractors under foreign ownership, control or influence (FOCI).” While 
you found that DSS does not have a process for collecting and analyzing certain FOCI 
data, the report never made the nexus between collecting and analyzing data and 
protection of classified information or the effectiveness of DSS oversight. 

The report demonstrates a lack of understanding of the national policy governing 
access to classified information by our contractor population and the evaluation process 
used by DSS to ensure that classified information is properly protected. FOCI is handled 
on a case-by-case basis in accordance with national policy approved by all Federal 
Agencies that participate in the National Industrial Security Program (NISP). When DSS 
becomes aware of FOCI, an assessment is made regarding the risk to classified 
information in the specific situation. The nature and source of the foreign ownership, the 
sensitivity of the information, the relationship of the foreign source’s government with 
our government, and the nature of agreements between the governments involved, all are 
taken into account to determine the risk. If there is any indication of risk to classified 
information the government customer is notified and appropriate action is taken to protect 
the classified information. All companies that have a facility security clearance have 
cleared United States citizens responsible for protecting that classified information. For 
it to be at risk, even by FOCI, cleared United States citizens have to break the law by 
providing it to unauthorized individuals. 

Specific responses to the report’s recommendations are attached, as are some 
technical comments. While there is always room for improvement in any process, I find 





INTELLIGENCE 


See comment 4. 


See comment 5. 


GAO DRAFT REPORT DATED JUNE 10, 2005 
GAO-05-681 (GAO CODE 120348) 

"INDUSTRIAL SECURITY: DOD Cannot Ensure Its Oversight of 
Contractors under Foreign Influence Is Sufficient,” 

DEPARTMENT OF DEFENSE COMMENTS 
TO THE GAO RECOMMENDATIONS 


RECOMMENDATION 1: The GAO recommended that the Secretary of Defense direct 
the director of Defense Security Service (DSS), to clarify when contractors need to report 
foreign business transactions to DSS. (p. 16 GAO Draft Report) 

DOD RESPONSE: 

Non-concur. 

The National Industrial Security Program Operating Manual (NISPOM), which 
promulgates national industrial security policy to the contractor community, is very clear 
about the contractor-reporting requirement. NISPOM paragraph 1-302.h(5): 

“Any material change concerning the information previously reported by 
the contractor concerning foreign ownership, control or influence (FOCI). 
This report shall be made by the submission of a CSA-designated form. 
When submitting this form, it is not necessary to repeat answers that have 
not changed. When entering into discussions, consultations or agreements 
that may reasonably lead to effective ownership or control of a foreign 
interest, the contractor shall report the details by letter.” 

The report states that contractors self-report “foreign business transactions.” There 
is no NISPOM requirement to report “foreign business transactions” nor is there any 
utility in contractors reporting every transaction with a foreign source. Contractors are 
required to report material changes to information already reported and that information is 
then reviewed to determine if further action is required. In addition, as part of a facility’s 
annual security review, DSS routinely asks company management about changes to the 
facility’s reported FOCI. Self-reporting is the only mechanism we can rely on to gather 
the information and since all other Federal Agencies, to include Internal Revenue and 
Social Security, depend on companies to self-report, we do not see a concern. If 
information comes to DSS’ attention through other means they follow-up and take 
appropriate action. The NISPOM is contractually imposed. Failure to report is a 
compliance issue. 


See comment 6. 


See comment 7. 

See comment 8. 


RECOMMENDATION 2: The GAO recommended that the Secretary of Defense direct 
the director of DSS, to determine how contractors should report and communicate dates 
of specific foreign business transactions to DSS. (p. 16 GAO Draft Report) 

DOD RESPONSE: 

Non-concur. 

See response to Recommendation #1. The NISPOM provides requirements to 
contractors on reporting requirements. The policy direction is that at the time that a 
material change occurs concerning the FOCI information previously reported by the 
contractor, the reporting requirement applies. The policy applies to all contractors of 
Executive Branch agencies under the National Industrial Security Program (NISP), in 
accordance with Executive Order (EO) 12829. Any change to the contractor reporting 
requirements requires a change to national policy. DSS is not responsible for developing 
or promulgating national policy. 

DSS responsibility under the NISP specifically pertains to the national security and 
oversight of contractor access to classified information. Having information on the dates 
of foreign business transactions does not contribute to ensuring that classified information 
is protected. The length of time between a “foreign business transaction” occurring, the 
reporting of that event if it needs to be reported, the decision that a mitigating instrument 
should be put in place, and the actual imposition of a mitigating instrument does not 
directly relate to unauthorized disclosure of classified information. 

RECOMMENDATION 3: The GAO recommended that the Secretary of Defense direct 
the director of DSS, to collect and analyze when foreign business transactions occurred at 
contractor facilities and when protective measures were implemented to mitigate FOCI. 
(p. 16 GAO Draft Report) 

DOD RESPONSE: 

Nonconcur. 

See response to Recommendations #1 and #2. The length of time involved in 
putting a mitigating instrument in place does not directly relate to unauthorized disclosure 
of classified information. 

The DSS role is overseeing the protection of classified information. From the time 
that DSS receives a report from a contractor that involves FOCI, DSS works with the 
contractor to ensure that, regardless of the length of time involved, classified information 
is protected while the FOCI is analyzed and an appropriate mitigating instrument is 
determined and put in place. Every effort is made to ensure that the contractor can 
continue to work so long as the contractor is negotiating FOCI negation or mitigation in 
good faith. If DSS has reason to believe that classified information cannot be adequately 
protected as a result of a FOCI-related change, DSS has the option of invalidating the 
facility clearance until all issues are resolved. If FOCI cannot be negated or mitigated, 
DSS revokes the facility clearance. 

See comment 9. 

See comment 10. 

See comment 4. 

See comment 11. 

RECOMMENDATION 4: The GAO recommended that the Secretary of Defense direct 
the director of DSS, to collect and analyze data on contractors operating under all 
protective measures as well as changes in types and prevalence of foreign business 
transactions reported by contractors. (p. 16 GAO Draft Report) 

DOD RESPONSE: 

Nonconcur. 

This recommendation was indicated in the report as a way for the Secretary of 
Defense to assess DSS oversight. An analysis of protective measures and changes in the 
types and prevalence of foreign business transactions reported by contractors does not 
appear to provide value in assessing DSS’s effectiveness in ensuring the protection of 
classified information in industry. 

There is no requirement for contractors to report all “foreign business transactions” 
to DSS. The reporting requirement for contractors pertains only to those FOCI-related 
events that may impact the contractor’s ability to maintain their facility clearance and 
perform on classified contracts. There is no basis for DSS to be able to analyze changes 
in the types and prevalence of foreign business transactions. 

RECOMMENDATION 5: The GAO recommended that the Secretary of Defense direct 
the director of DSS, to collect, aggregate, and analyze the results of annual foreign 
ownership, control or influence (FOCI) meetings, contractors’ compliance reports, and 
data from the counterintelligence community. (p. 16 GAO Draft Report)

DOD RESPONSE:

Nonconcur. 

This recommendation was indicated in the report as a way for the Secretary of 
Defense to assess DSS oversight. Of the approximately 12,000 cleared contractors, fewer 
than 3% are under any type of FOCI mitigating mechanisms; i.e., board resolutions, 
limited facility clearances, voting trusts, proxies, Special Security Arrangements, or 
See comment 12.


See comment 13. 


See comment 11. 


Security Control Agreements. Analysis of an aggregation of the results of annual 
meetings, compliance reports, and CI data does not appear to provide value in assessing
DSS effectiveness in ensuring the protection of classified information in industry. The
DSS Industrial Security Representative (IS Rep) uses the results of the annual meetings,
compliance reports, and CI data to assess an individual contractor’s ability to protect
classified information. 

RECOMMENDATION 6: The GAO recommended that the Secretary of Defense direct
the director of DSS, to develop a plan to systemically review and evaluate the
effectiveness of the FOCI process. (p. 16 GAO Draft Report)

DOD RESPONSE:

Nonconcur. 

The Director of DSS already has three separate processes in place to systematically 
review and evaluate the effectiveness of the agency’s processes. DSS has an Inspector 
General, a management review process for industrial security field office oversight and a 
standards and quality program. 

RECOMMENDATION 7: The GAO recommended that the Secretary of Defense direct 
the director of DSS, to evaluate the needs of representatives in carrying out their FOCI 
responsibilities. (p. 16 GAO Draft Report)

DOD RESPONSE:

Nonconcur. 

Since the Defense Industrial Security Program has been in place since the early 
1950’s, superseded by the National Industrial Security Program in 1993, the needs of 
representatives in carrying out their FOCI responsibilities are well known. 

The report indicates that DSS Industrial Security personnel lacked the training and 
knowledge to identify complex business structures and to oversee contractors with FOCI. 
As less than 3% of the approximately 12,000 cleared companies overseen by DSS have 
any FOCI mitigation, most DSS industrial security personnel do not oversee such 
contractors. The report does not differentiate between DSS personnel whose duties 
actually require them to oversee complex FOCI and personnel whose duties do not. The 
four-week on site training for industrial security personnel includes one week on the 
facility clearance process to include FOCI. On site training is preceded by 12 weeks of 
on the job training and mentoring by senior industrial security personnel. The DSS 
Industrial Security Operating Manual also contains extensive coverage on business 
See comment 14.


structures and FOCI processing. The DSS facility clearance and FOCI process requires 
the industrial security representative to gather information and do a cursory analysis. 
When a specific threshold is reached the case is referred to a specialist who has the 
expertise to review the documentation and reach an appropriate conclusion. While 
personnel can always have additional training and DSS leadership is reviewing the 
training requirements for their personnel, it is our position that the DSS personnel who 
have the responsibility to handle complex FOCI situations are properly trained. 

RECOMMENDATION 8: The GAO recommended that the Secretary of Defense direct 
the director of DSS, to determine and implement changes needed to job requirements, 
guidance, and training to meet FOCI responsibilities and explore options for improving 
resource tools and knowledge-sharing efforts among representatives. (p. 16 GAO Draft
Report)

DOD RESPONSE:

Partially concur. 

DSS continually assesses its conduct of the industrial security program, as does 
OSD in its oversight role. We recognize, however, that there is always room for 
improvement. DSS has undergone a transformation in the last two years with significant 
changes in leadership and mission. With a new Deputy Director of Industrial Security in 
place at DSS, a new strategic direction for program operations is being formulated. New 
management provides the opportunity to explore options for operational improvements. 
Some initiatives are already underway, including an assessment of the skill sets and 
training required to effectively carry out the industrial security mission, as well as a career 
path for the industrial security professional that should aid in recruitment and retention of 
skilled personnel. 

A new industrial security information management system is nearing the final 
stages of requirements definition and development, which will improve the ability to 
centrally manage data, while enhancing the ability to share information and ideas across 
geographic boundaries. This will allow geographically dispersed IS Reps to more 
effectively assess classified government programs with multiple contracts and 
subcontracts and provide assurances to the government customers that classified 
information is protected across programs. 
The following are GAO’s comments on the Department of Defense’s letter
dated June 29, 2005. 


GAO’s Comments 


1. It is unclear how DOD came to the conclusion that our report lacks an
understanding of the national policy governing contractors’ access to 
classified information, given that our description of the policy and 
process in the background of our report is taken directly from 
documentation provided by DSS. Further, DOD did not provide in its 
technical comments any suggested amendments to remove perceived 
misunderstandings from our report. 


2. Cleared U.S. citizens need not break the law for foreign interests to 
gain unauthorized access to classified information or adversely affect 
performance of classified contracts. Classified information can be at 
risk when foreign nationals at a cleared FOCI contractor facility are 
not identified and timely protective measures are not established to 
mitigate their influence. 

3. DOD’s position that there is little in our report that would enable DSS 
to improve the FOCI process or justify the cost of implementing our 
recommendations underscores the department’s failure to grasp the 
gravity of our findings. DOD has neither systematically evaluated the 
effectiveness of its FOCI process nor identified opportunities to 
strengthen its oversight for contractors under FOCI. Our 
recommendations specifically target correcting these weaknesses. 
Further, raising concerns about cost without evaluating the 
effectiveness of its FOCI process is shortsighted. 

4. According to the National Industrial Security Program Operating 
Manual, contractors are required to report material changes to FOCI 
information previously reported and every 5 years, even if no change 
occurs. We added a footnote to further clarify the definition of foreign 
business transactions used in our report. 


5. DOD’s response concerning self-reporting underscores the
department’s complacency regarding its responsibility to take actions
needed to prevent foreign interests from gaining unauthorized access 
to U.S. classified information. While we recognize that DSS is 
dependent on self-reporting and that some vulnerabilities are outside 
of DSS’s control, there are numerous steps DOD could take to mitigate 
these vulnerabilities. For example, if DSS implemented our 
recommendation to clarify when reporting should occur and require 
reporting dates when specific foreign business transactions took place, 
then DSS could monitor whether contractors are reporting foreign
transactions on time and put mitigation measures in place, as 
appropriate. 

6. While DOD maintains that contractors are to report material changes 
concerning FOCI information as they occur, we found that the 
National Industrial Security Program Operating Manual does not 
state this. As we reported, DSS field staff told us that while some 
contractors report transactions as they occur, some do not report 
transactions until months later, if at all. Specifying a time frame for 
contractors could result in more timely reporting of these transactions. 

7. As we reported, the FOCI process begins when a contractor reports 
FOCI information. Having information on when foreign transactions 
occur would enable DSS to take timely action to impose safeguards or 
restrictions authorized by the National Industrial Security Program 
Operating Manual. 

8. Unmitigated FOCI at a cleared contractor increases the risk that 
foreign interests can gain unauthorized access to U.S. classified 
information. During our review, we found two cases in which 
contractors appeared to have operated with unmitigated FOCI before 
protective measures were put in place. Therefore, it is important to 
know the length of time between when a foreign transaction occurs 
and when protective measures are put in place to mitigate FOCI. 

9. According to the National Industrial Security Program Operating 
Manual, a contractor under FOCI with an existing facility clearance 
shall have its clearance suspended or revoked unless protective 
measures are established to remove the possibility of unauthorized
access to classified information or of adversely affecting performance on
classified contracts. DOD’s characterization of DSS having the option
to suspend the clearance of contractors with unmitigated FOCI seems 
to differ from what is stated in the manual. 

10. It is unclear why DOD does not see the value in collecting information 
on contractors operating under all six protective measures, when DSS 
already centrally collects information on contractors operating under 
three measures. DSS cannot assess the overall effectiveness of its 
FOCI process unless it has a complete and accurate account of 
contractors operating under all types of protective measures. 

11. It is unclear how DOD determined that less than 3 percent of its 
cleared contractors are operating under all six protective measures 
because DSS does not centrally collect and analyze this information 
for all six measures. In addition, the most recent information provided
to us by DSS indicated that there are about 11,000 contractor facilities 
participating in the National Industrial Security Program, rather than 
the 12,000 cited in DOD’s comments. Further, DOD did not provide 
technical comments to revise the number of contractor facilities stated 
in our report. 

12. Industrial security representatives may use the results of annual 
meetings, compliance reports, and counterintelligence data to assess 
an individual contractor’s security posture. However, as stated in our 
report, DSS does not systematically compile and analyze trends from 
these oversight activities. Aggregating overall compliance and 
counterintelligence trends is valuable because it would allow DSS to 
identify actual or potential weaknesses, evaluate effectiveness, and 
take actions as needed to improve its FOCI process. 

13. Citing how long the program has been in existence misses the point, 
and DOD does not provide evidence that the needs of representatives 
are well known. As we reported, industrial security representatives 
face numerous challenges in carrying out their FOCI responsibilities, 
which forms the basis of our recommendation to evaluate the
needs of the representatives. Assessing their needs is particularly 
important given the increasingly complex environment—characterized 
by international cooperative defense programs and a growing number 
of cross-border defense industrial relationships—in which industrial 
security representatives work. 

14. As stated in our report, industrial security representatives told us they 
lacked the training and knowledge they needed to verify complex 
FOCI cases and oversee contractors under FOCI. 